12-08-2014 05:04
Yes, I know, there are a few topics about this but mine is different 🙂
So, I'm trying to authenticate myself with a Python application. I read the OAuth process page a lot
https://wiki.fitbit.com/display/API/OAuth+Authentication+in+the+Fitbit+API
and I get it. So I wrote my code in Python and did steps A, B, C, D. Now I tried to get the access code, the "last step" (E, F), but I'm not able to understand what I did wrong. I create the POST params like this
oauth = OAuth1(
    oauth_consumer_key="my-key",
    oauth_token="my-ouath-token",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="????????????????????",
    oauth_timestamp="137131200",
    oauth_nonce="4572616e48616d6d65724c61686176",
    oauth_version="1.0"
)
and then I do my request
url = "https://api.fitbit.com/oauth/access_token"
r = requests.post(url, auth=oauth)
The error is "Invalid signature or token". So, I'm going crazy over the oauth_signature param. I read about it and I know that it's "client (consumer) secret + access token secret and base string" but I really don't understand this guide:
https://dev.fitbit.com/apps/oauthtutorialpage
0. BASE STRING
Must I create something like this by myself?
POST&https%3A%2F%2Fapi.fitbit.com%2Foauth%2Faccess_token&oauth_consumer_key%3D%26oauth_nonce%3D%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1418042721%26oauth_token%3D%26oauth_verifier%3D%26oauth_version%3D1.0
1. HOW CAN I CREATE THE SIGNATURE BY MYSELF?
I tried to concatenate "signature = client_secret + access_token_secret" and did "hash-SHA1"
I tried to concatenate "signature = access_token_secret + client_secret" and did "hash-SHA1"
But they don't match
2. MUST I PUT IT INSIDE THE POST?
3. HOW CAN I GET access_token IN PYTHON?
I did OAuth-authentication with another device but Fitbit is very hard and complicated. I really don't understand it.
I know that something is wrong,
please help me to find my error.

- Labels: OAuth 1.0a, Subscriptions API
12-08-2014 09:51
Your topic does not seem different to me anyhow. You just need to create a proper signature for your request.
Please read
1) http://oauth.net/core/1.0a/#anchor13 for how to form the base string
2) http://oauth.net/core/1.0a/#anchor15 for how to properly sign the request
Also please pay attention: the [Signed with:] value is not always [client + access token secret] - depending on what step you are at, you should be signing your request using different tokens.
In particular, when you're making the access_token request you should be signing the request with [Client consumer Key Secret + Temporary Access Token secret]
I'd advise you to play more with the Fitbit OAuth 1.0a debug tool and understand how the signatures are formed and what values are used at what stages.
It's not an easy thing that most people get right away; it may take some time.
Senior Software Developer at Fitbit

